Nexus7000 VPC Best Practices and Design 1
virtual Port-Channel
Best Practices & Design
Guidelines
Technical Marketing
Data Center Switching Technology Group August 2010
version 1.3
[Figure: vPC terminology. Labels: vPC peer, standalone port-channel, vPC, vPC member port]
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 7
Building a vPC Domain
Peer Link
Definition:
• Standard 802.1Q trunk
• Can carry vPC and non-vPC VLANs*
• Carries Cisco Fabric Services messages (tagged as CoS=4 for reliable communication)
• Carries flooded traffic from a vPC peer
• Carries STP BPDUs, HSRP Hellos, IGMP updates, etc.
Requirements:
• Member ports must be 10GE interfaces on one of the N7K-M132XP-12 modules
• Peer-links are point-to-point. No other device should be inserted between the vPC peers.
Recommendations (strong ones!)
• Minimum 2x 10GbE ports on separate cards for best resiliency.
• Dedicated 10GbE ports (not shared mode ports)
*It is Best Practice to split vPC and non-vPC VLANs on different Inter-switch Port-Channels.
Building a vPC Domain
Peer Link with Single 10G Module
http://bock-bock.cisco.com/wiki_file/N7K:tech_resources:vpc/vPC_Single_10G_module.pptx
http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_2/nx-os/interfaces/configuration/guide/if_vPC.html#wp1529488
[Figure: peer link vPC_PL with vPC1 and vPC2]
Definition (vPC member port):
• Port-channel member of a vPC peer.
Requirements:
• Configuration needs to match the other vPC peer’s member port config.
• In case of inconsistency a VLAN or the entire port-channel may suspend (e.g. MTU mismatch).
• Number of member ports on both vPC peers is not required to match.
• Up to 8 active ports between both vPC peers (16-way port-channel can be built with multi-layer vPC)
ALWAYS dual attach devices to a vPC Domain!!!
* VLAN that is NOT part of any vPC and not present on vPC peer-link
Attaching to a vPC Domain
vPC and non-vPC VLANs (i.e. single attached .. )
[Figure: devices attached to a vPC domain, including orphan ports. Legend: P = Primary vPC, S = Secondary vPC, PR = Primary STP Root, SR = Secondary STP Root]
1. All devices Dual Attached via vPC
2. Separate vPC and STP VLANs
[Figure: Switch and Router attached to 7k1 and 7k2 over Po1 and Po2; L3 ECMP]
Layer 3 and vPC
What can happen… (1 of 3)
[Figure: router R attached to 7k1 and 7k2 through a vPC; port-channels Po1 and Po2]
• R could be any router, L3 switch or VSS building a port-channel.
• Port-channel looks like a single L2 pipe. Hashing will decide which link to choose.
• Layer 3 will use ECMP for northbound traffic.
1) Packet arrives at R
2) R does lookup in routing table and sees 2 equal paths going north (to 7k1 & 7k2)
3) Assume it chooses 7k1 (ECMP decision)
4) R now has rewrite information to which router it needs to go (router MAC 7k1 or 7k2)
5) L2 lookup happens and outgoing interface is port-channel 1
6) Hashing determines which port-channel member is chosen (say to 7k2)
7) Packet is sent to 7k2
8) 7k2 sees that it needs to send it over the peer-link to 7k1 based on MAC address
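The eight-step walk above, as an added example that is not part of the original deck: R makes the ECMP next-hop choice and the port-channel member choice with two independent hashes, and the code counts how many flows land on the other peer and must cross the peer-link. The hash functions, addresses and flow set are constructed for illustration and do not reproduce any real platform's hashing.

```python
import hashlib
from collections import Counter

PEERS = ("7k1", "7k2")  # the two vPC peers from the slide


def _pick(salt: str, flow: tuple) -> str:
    """Deterministic 2-way choice; stands in for a hardware hash (assumption)."""
    digest = hashlib.sha256(f"{salt}|{flow}".encode()).digest()
    return PEERS[digest[0] & 1]


def walk_packet(flow: tuple) -> dict:
    """Follow steps 1-8 for one flow arriving at R."""
    # Steps 2-4: routing lookup finds two equal-cost paths; ECMP picks the
    # next-hop router, which fixes the destination router MAC in the rewrite.
    next_hop = _pick("ecmp", flow)
    # Steps 5-7: L2 lookup resolves to port-channel 1; a separate hash picks
    # the physical member, i.e. which peer actually receives the frame.
    receiving_peer = _pick("port-channel", flow)
    # Step 8: if the frame landed on the other peer, that peer bridges it
    # across the peer-link towards the owner of the router MAC.
    return {
        "next_hop": next_hop,
        "receiving_peer": receiving_peer,
        "via_peer_link": receiving_peer != next_hop,
    }


def peer_link_share(flows) -> float:
    """Fraction of flows that take the extra peer-link hop."""
    results = [walk_packet(f) for f in flows]
    return sum(r["via_peer_link"] for r in results) / len(results)


def constructed_flows(n: int = 2000):
    """Constructed sample flows: (src IP, dst IP, src port, dst port)."""
    return [(f"10.1.{i % 250}.{i % 200 + 1}", "192.0.2.10", 1024 + i, 443)
            for i in range(n)]


if __name__ == "__main__":
    flows = constructed_flows()
    paths = Counter((w["next_hop"], w["receiving_peer"])
                    for w in map(walk_packet, flows))
    for (hop, rx), count in sorted(paths.items()):
        print(f"routed to {hop}, hashed to {rx}: {count}")
    print(f"share crossing the peer-link: {peer_link_share(flows):.1%}")
```

Because the two decisions are independent 2-way choices, about half of the flows take the peer-link detour of step 8.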
[Figure: vPC domain with primary and secondary vPC peers at the aggregation layer; HSRP ACTIVE and STANDBY at Layer 3; primary and secondary STP root; Layer 2 (STP + Rootguard) towards the access layer; Layer 2 (STP + BPDUguard) at the access edge]
bridge IDs (As of 4.2(x)), this resolves the need to disable the etherchannel guard
Legend entries on the slide: Edge or portfast port type (E), Normal port type, BPDUguard (B), BPDUfilter (F), Rootguard (R). The figure also marks ports with N, - and L.
Multi-layer vPC for Agg and DCI
[Figure: DC 1 (vPC domain 11) and DC 2 (vPC domain 21) connected over long distance; CORE, AGGR and ACCESS layers]
• vPC Domain id for facing vPC layers should be different
• No Bridge Assurance on interconnecting vPCs
• BPDU Filter on the edge devices to avoid BPDU propagation
• No L3 peering between DCs (i.e. L3 over vPC)
CTS Manual Mode (802.1AE 10GE line-rate encryption)
No ACS is required
[Figure: L3 core running OSPF; VLAN 99; L3/L2 boundary; primary and secondary vPC peers]
Design considerations:
• Access switches requiring services are connected to sub-aggregation VDC
• Access switches not requiring services may be connected to aggregation VDC
• May be extended to support multiple virtualized service contexts by using multiple VRF instances in the sub-aggregation VDC
Design Cautions:
• Be aware of the Layer 3 over vPC design caveat. If Peering at Layer 3 is required across the two vPC layers an alternative solution should be explored (i.e. using STP rather than vPC to attach service chassis)
Agenda
Feature Overview & Terminology
vPC Design Guidance & Best Practices
Building a vPC domain
Attaching to a vPC domain
Layer 3 and vPC
Spanning Tree Recommendations
Data Center Interconnect (& Encryption)
HSRP with vPC
vPC and Services
vPC latest enhancements
ISSU
N7k(config-vpc-domain)# peer-gateway
[Figure: Nexus 7000 vPC topology. N7K-1 and N7K-2 at the L2/L3 aggregation layer running OSPF to the L3 core; Po10]
NOTE: Convergence numbers may vary depending on the specific configuration (i.e. scaled
number of VLANs/SVIs or HSRP groups) and traffic patterns (i.e. L2 vs L3 flows).
vPC on Nexus 7000
Scalability Number Improvements
Release Supported Scalability
[Figure: N7K-Aggr pair (N7K-1, N7K-2) with POD 1-2 VPC; Pod 1 and Pod 2]
More details on Lab Contacts and Lab Guide on the wiki (check the Lab Materials section):
http://bock-bock.cisco.com/wiki/N7K:tech_resources:vpc
[Figure: topology. L3 Core; N7K-1 and N7K-2 at L2/L3 Aggregation; 6K-1, 6K-2 and 6500 VSS at L2 Access; vPC Peer Link; LACP Channel (2x10 GigE); vPC Peer-Keepalive (GigE)]